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ABSTRACT 

Getting agents in the Internet, and in networks in general, 
to invest in and deploy security features and protocols is 
a challenge, in particular because of economic reasons aris- 
ing from the presence of network externalities. Our goal in 
this paper is to model and investigate the impact of such 
externalities on security investments in a network. 

Specifically, we study a network of interconnected agents 
subject to epidemic risks such as viruses and worms where 
agents can decide whether or not to invest some amount 
to deploy security solutions. We consider both cases when 
the security solutions are strong (they perfectly protect the 
agents deploying them) and when they are weak. We make 
three contributions in the paper. First, we introduce a gen- 
eral model which combines an epidemic propagation model 
with an economic model for agents which captures network 
effects and externalities. Second, borrowing ideas and tech- 
niques used in statistical physics, we introduce a Local Mean 
Field (LMF) model, which extends the standard mean-field 
approximation to take into account the correlation structure 
on local neighborhoods. Third, we solve the LMF model in a 
network with externalities, and we derive analytic solutions 
for sparse random graphs of agents, for which we obtain 
asymptotic results. We find known phenomena such as free 
riders and tipping points. We also observe counter-intuitive 
phenomena, such as increasing the quality of the security 
technology can result in a decreased adoption of that tech- 
nology in the network. In general, we find that both situa- 
tions with strong and weak protection exhibit externalities 
and that the equilibrium is not socially optimal - therefore 
there is a market failure. Insurance is one mechanism to 
address this market failure. In related work, we have shown 
that insurance is a very effective mechanism [3j |4] and ar- 
gue that using insurance would increase the security in a 
network such as the Internet. 
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1. INTRODUCTION 

Users and computers in the Internet face a wide range 
of security risks. Of particular concern, are epidemic risks, 
such as those propagated by worms and viruses. Epidemic 
risks depend on the behavior of other entities in the network, 
such as whether or not those entities invest in security solu- 
tions to minimize their likelihood of being infected. Our goal 
in this paper is to analyze the strategic behavior of agents 
facing such epidemic risks. 

The propagation of worms and viruses |16l [7], but also 
many other phenomena in the Internet such as the propa- 
gation of alerts and patches [14] or of routing updates [5], 
can be modeled using epidemic spreads through a network. 
As a result, there is now a vast body of literature on epi- 
demic spreads over a network topology from an initial set 
of infected nodes to susceptible nodes. However, much of 
that work has focused on modeling and understanding the 
propagation of the epidemics proper, without considering 
the impact of network effects and externalities. 

Recent work which did model such effects has been lim- 
ited to the simple case of two agents, i.e. a two-node net- 
work. For example, reference [9] proposes a parametric 
game-theoretic model for such a situation. In the model, 
agents decide whether or not to invest in security and agents 
face a risk of infection which depends on the state of other 
agents. The authors show the existence of two Nash equilib- 
ria (all agents invest or none invests), and suggest that tax- 
ation or insurance would be ways to provide incentives for 
agents to invest (and therefore reach the "good" Nash equi- 
librium). However, their approach does not scale to the case 
of N agents, and it does not handle various network topolo- 
gies connecting those agents. Our work addresses precisely 
those limitations. 

The rest of the paper is organized as follows. In Section[2] 
we describe our model for epidemic risks with network effects 
and externalities. In Section[3] we introduce our Local Mean 
Field Model (LMF) and state asymptotic results that can be 
obtained with LMF. In Section [3] we use the LMF model 
to examine both cases when agents invest in strong security 
solutions (which perfectly protect the agents deploying them 
against propagated risks) and in weak solutions. We find 
known phenomena such as free riders and tipping points 
[4]. We also observe counter-intuitive phenomena, such as 
increasing the quality of the security technology can result 
in a decreased adoption of that technology in the network. 
In Section [H we discuss our results and conclude the paper. 



2. A MODEL FOR EPIDEMIC RISKS AND 
NETWORK EFFECTS 

2.1 Economic model for the agents 

We model agents using the classical expected utility model, 
where agents attempt to maximize a utility function u. We 
assume that agents are rational and that they are risk averse, 
i.e. their utility function is concave (see Proposition 2.1 in 
[S]). Risk averse agents dislike mean-preserving spreads in 
the distribution of their final wealth. 

We denote by w the initial wealth of the agent. The risk 
premium n is the maximum amount of money that one is 
ready to pay to escape a pure risk X, where a pure risk X 
is a random variable such that K[X] = 0. The risk premium 
corresponds to an amount of money paid (thus decreasing 
the wealth of the agent from w to w — tt) which covers the 
risk; hence, tt is given by the following equation: u[w — tt] = 
E[u[w + X]}. 

Each agent faces a potential loss £, which we take in this 
paper to be a fixed (non-random) value. We denote by p the 
probability of loss or damage. There are two possible final 
states for the agent: a good state, in which the final wealth 
of the agent is equal to his initial wealth w, and a bad state 
in which the final wealth is w — I. If the probability of loss 
is p > 0, the risk is clearly not a pure risk. The amount of 
money m the agent is ready to invest to escape the risk is 
given by the equation: pu[w — £] + (1 — p)u[w] — u[w — m]. 
We clearly have m > p£ thanks to the concavity of u. We 
can actually relate m to the risk premium defined above: 

m = p£ + n\p]. 

An agent can invest some amount in self-protection, which 
in practice would reflect an investment in antivirus or anomaly 
detection solutions. If an agent decides to invest in self- 
protection, we say that the agent is in state S (as in Safe or 
Secure). If the agent decides not to invest in self-protection, 
it is in state N (Not safe). If the agent does not invest, its 
probability of loss is p . If it does invest, for an amount 
which we assume is a fixed amount c, then its loss probabil- 
ity is reduced and equal to p s < p N . 

In state N, the expected utility of the agent is p N u[w— £] + 
(1 — p N )u[w]; in state S, the expected utility is p s u[w — £ — 
c] + (1 — p )u[w — c]. Using the definition of risk premium, we 
see that these quantities are equal to u[w — p N £ — ir[p N ]] and 
u[w — c — p s £ — Ti[p s ]}, respectively. Therefore, the optimal 
strategy is for the agent to invest in self-protection only if 
the cost for self-protection is less than the threshold 

c<(p N ~p S )£ + n[p N ]-n[p S ]. (1) 

2.2 Epidemic model 

We describe now our model for the epidemic risk. Agents 
are represented by vertices of a graph. We assume that an 
agent in state S has a probability p~ of direct loss and an 
agent in state N has a probability p + of direct loss with 
p + > p~ . Then any infected agent contaminates neigh- 
bors independently of each others with probability q~ if the 
neighbor is in state S and q + if the neighbor is in state N, 
with q + > q~ . 

Special cases of this model are examined in [TO], where 
q + = q~ , and in [12], where agents in state S are completely 
secure and cannot be infected, i.e. p~ = q~ — 0. 

Let G = (V, E) be a graph on a countable vertex set V. 



Agents are represented by vertices of the graph. For i,j 6 V , 
we write i ~ j if (i, j) £ E and we say that agents i and j are 
neighbors. The state of agent i is represented by Xi\ agent 
i is infected (respectively healthy) iff X , = 1 (respectively 
Xi = 0). 

We now describe the fundamental recursion satisfied by 
the vector X. We first introduce the following sequences of 
independent identically distributed (i.i.d.) random variables 
(r.v.): 

• (A s , Af , i G N) Bernoulli r.v. with parameter p~ "; 

• (^^,^4^,1 6 N) Bernoulli r.v. with parameter p + \ 

• (Bf , Bfiji, j 6 N) Bernoulli r.v. with parameter q~ ; 

• (B^ , ,i, j £ N) Bernoulli r.v. with parameter q + . 

Let Di = 1 if agent i is in state S and Di = otherwise. 
We define fa = DiAf + (1 - Di)Af . The variable fa models 
the direct loss: if fa = 1 there is a direct loss for agent i, 
otherwise there is no direct loss for agent i. We also define 
6ji = A-Bfi + (1 - Di)Bfl. The variable 9 3l models the 
possible contagion from agent j to agent i: if Oji = 1, there 
is contagion otherwise there is no contagion. 

Then the fundamental recursion satisfied by the vector 
X = {X,,i£V)is 

i-Xi = (l-fa^i-eaXj). (2) 
2.3 Epidemic risks for interconnected agents 

In order to completely specify our model, we still need to 
define how to choose the variables Di, i.e. whether agent i 
invests in self-protection (corresponding to Di = 1) or not 
(A = 0). 

First, note that the probability of loss for agent i is given, 
depending on whether or not it invests in self protection, by 

pf := E[Xi\Di = 1], or, (3) 
pf := K[Xi\Di = 0]. (4) 

In view of ((TJ, the best response of agent i is given by: 

A = l(Ci < (pf - P f )£i + TTibf ] - TTibf ]). (5) 

where pf and pf 1 are given by ((3J and ((4} . 

Our model is defined by the graph G (which topology is 
arbitrary) and the set of Equations (I2I3I4I5|I . In the rest of 
this paper, we will make a simplifying assumption: we con- 
sider a heterogeneous population, where agents differ only 
in self-protection cost and potential loss. The cost of protec- 
tion should not exceed the possible loss, hence < C; < £i. 
The cost d and the potential loss £i are known to agent i 
and varies among the population. Hence we model this het- 
erogeneous population by taking the sequence (ci,£ii £ N) 
as a sequence of i.i.d. random variables independent of ev- 
erything else. 

So far, we have not yet specified the underlying graph. 
We will consider random families of graphs G' n ' with n ver- 
tices and give asymptotic results as n tends to infinity. In 
all cases, we assume that the family of graphs G'™- 1 is inde- 
pendent of all other processes. 



3. LOCAL MEAN FIELD MODEL 

In this section, we introduce our Local Mean Field (LMF) 
model. It extends the standard mean-field approximation by 
allowing to model the correlation structure on local neigh- 
borhoods. It can be shown that the LMF gives the exact 
asymptotic behavior of the process X as the number of ver- 
tices tends to infinity for sparse random graphs with asymp- 
totic given degree distribution P(d) (see [B] for a definition). 
A rigorous proof of this fact can be found in [10] for a par- 
ticular case of the model described in Section T2.2I We will 
not attemp to give a general proof here. The main tool is 
the notion of local weak convergence [2]. 

3.1 Exact results for trees 

Since the graphs we are considering can be considered lo- 
cally to be like trees (with high probability) , we first examine 
the case where G — T is a tree with nodes , 1, . . . and a fixed 
root . 

For a node i, we denote by gen(i) £ N the generation of i, 
i.e. the length of the minimal path from to i. Also we denote 
i — > j if i is a children of j, i.e. gen(i) = gen(j) + 1 and j is 
on the minimal path from to i. For an edge £ E with 
i — > j, we denote by Ti->j the sub-tree of T with root i when 
deleting edge from T. We have a family of trees Ti->j 
and we run the epidemic model according to equation ((2)1 
with the same variables (B? , B? , B^ , B%, a, £», i, j £ N) on 
each tree. Hence the epidemics on the various subtree of T 
are coupled thanks to these random variables. We say that 
node i is infected from Ti^j if the node i is infected in . 
We denote by Yi the corresponding indicator function with 
value 1 if i is infected from Ti->j and otherwise. A simple 
induction shows that the recursion J2J becomes: 

1 - Yj = (1 - (1 - fci Yfc) . (6) 

fc — *i 

If the tree T is finite, we can compute all the Yi recursively 
starting from the leaves with Yt — <j>£ for any leaf I. As a 
consequence (and this is the main difference with ([2]) which 
makes the model on a tree tractable), the random variables 
Yjt with k — » i in the right-hand term of ([6]) are independent 
of each others and independent of the Qu%- For any node 
i £ T, we just defined Yi and the family (Y iy i £ T) is a 
tree- indexed process called a Recursive Tree Process (RTP). 

Consider now the case where T is a Galton- Watson branch- 
ing process with offspring distribution P* . The tree T is now 
possibly infinite but it is still possible to define an invariant 
RTP on T. One way to construct it consists in defining a 
RTP for each finite depth-d tree and then show that these 
RTPs converge to an invariant RTP as the depth d tends to 
infinity [T]. We first introduce the Recursive Distributional 
Equation (RDE): 

JV* 

Fil-(1-^I](1-W), (7) 

fc=i 

where iV* has distribution P* , <f> = DA S + (1 - D)A N , 
9 k = DB% + (1 - D)B% where D is a Bernoulli r.v. with 
parameter 7, Y and Y k are i.i.d. copies. We also assume 
that the random variables D, A s , A N , B k , B k and Y k are 
independent of each others. Note however that <f> an d the 
9's are not independent of each others. RDE for RTP plays 
a similar role as the equation fj, — fiK for the stationary 



distribution of a Markov chain with kernel K, see [Tj. The 
following result (proved in Appendix 17. 1[) solves the RDE. 

Proposition 1. Forp + > 0, the RDE ff3)) has a unique 
solution: Y is a Bernoulli random variable with parameter 
h(pf), the unique solution in [0, 1] of 

h = 1 - 7(1 - p-)G N (l - q~h) - (1 - 7)(1 - P + )G N {1 - q + h) 

where Gjv* (x) = K[x N ] is the generatinq function of the 
distribution P* . Moreover the function 7 1— > ^1(7) is non- 
increasinq in 7. 

As a consequence, we see that it is possible to construct an 
invariant version of the RTP on the tree T where for each 
k > 0, the sequence (Yi,i £ T, gen(i) = k) is a sequence of 
i.i.d. Bernoulli random variables with parameter h, see [T|. 

3.2 LMF associated to a random network 

Our LMF model is characterized by the connectivity dis- 
tribution P(d) but the underlying tree T as to be slightly 
modified compare to previous section: if we start with a 
given vertex then the number of neighbors (the first gener- 
ation in the branching process) has distribution P but this 
is not true for the second generation. Let T be a Galton- 
Watson branching process with a root which has offspring 
distribution P and all other nodes have offspring distribu- 
tion P* given by P*(d - 1) = ^p(d) for a11 d ^ L 

Remark 1. Note that if P is the Poisson distribution 
with parameter A which is the asymptotic deqree distribution 
for Erdos-Renyi qraph G(n, X/n), then P* is also Poisson 
with mean A. 

We now explain how to define the LMF based on the analysis 
made in previous section. Clearly, the crucial point in recur- 
sion ((SJl is the fact that the Yi can be computed "bottom-up". 
However a node can also be infected from its parent and Yi 
is NOT a good approximation of the real process Xi. Indeed 
the only node for which previous analysis gives an approxi- 
mation of the process X is for the root and the Yi's encode 
the information that the root is infected by an agent in the 
subtree of T "below" i. 
Hence we define 

JV 

X(D)±l-(l-<f>)H(l-9 k Y k ), (8) 

fe=i 

where N has distribution P, <j> and 9k are the same as in (|13|l 

and the Yfe's are i.i.d. Bernoulli r.v. with parameter ^(7), 

i.e. satisfying the RDE (|13[1 with iV* having distribution 
p, 

3.3 Asymptotic results 

We now show how to get quantitative results from our 
LMF. The goal of Section [4] is to derive such results for 
various cases. 

We consider a family of random graphs on n vertices G^ 
and the associated process {x[ , i £ {0, . . . , n — 1}) satisfy- 
ing the equations of our model on G (n) . We assume that our 
family of random graphs converges locally to a tree as de- 
scribed in previsous section. This property is true for sparse 
random graphs [2]. It can be shown that the process X^ n ' is 
asymptotically equivalent to the process defined on the tree, 
i.e. the corresponding LMF model described in previous sec- 
tion [10] . Hence we restict our analysis to the LMF model 



and the quantities computed here correspond to the asymp- 
totic values of the corresponding quantites for the process 
X*-' 1 ' for large values of n. 

Let 7 be the fraction of the population investing in self- 
protection. Then by symetry, the random variables Di are 
i.i.d. Bernoulli r.v. with parameter 7. Thanks to the results 
of the previous section, we can compute the law of the Xi's. 
From this law, we can compute the corresponding probabil- 
ity of loss depending on the choice made to invest or not. 
Then one has to check self-consistency: the fraction of the 
population for which the best-response consists in invest- 
ing in self-protection should be 7. Hence to solve our LMF 
model, we need to solve the following fixed point equation: 

JV, 7 



E[X{D)\D = 0] 

JV 

= 1 - 1 (l-A N )U(l-B?Y t ) 



E[X(D)\D 



1 — E 



{l-A^llil-BfYi) 



P(C < C 7 ), 



(9) 



(10) 

(11) 
(12) 



where the distribution of X(D) is given by or equiva- 
lently the Yi are i.i.d. Bernoulli r.v. with parameter ^1(7) 
given by Proposition [T] 

Let 7* be a solution of this fixed point equation. Then we 
have the following interpretations: 7* is the fraction of the 
population investing in self-protection, p^' 7 is the prob- 
ability of loss for an agent not investing in self-protection 
and p s '~' is the probability of loss for an agent investing in 
self-protection. Hence the average probability of loss is 

E[X(D)] = 7 */' 7 * + (1 - 7> JV ' 7 *- 

The outcome of rational behavior by self-interested agents 
can be inferior to a centrally designed outcome. By how 
much? The price of anarchy, the most popular measure of 
the inefficiency of equilibria, is defined as the ratio between 
the worst objective function value of an equilibrium of the 
game and that of an optimal outcome (possibly centralized 
in which case it will not be described by the model intro- 
duced above) . In our setting, the cost incurred to agent i is 
Ci +pf@i + i»(p< ) if it invests in security and pfli + itiiPi 1 ) 
otherwise. So for a given equilibrium, we can compute the 
total cost incurred to the population. The price of anarchy 
is the ratio of the largest (among all equilibria) such cost 
divided by the optimal cost. The price of anarchy is at least 
1 and a value close to 1 indicates that the given outcome is 
approximately optimal. We refer to [13] for an introduction 
to the inefficiency of equilibria (in particular chapter 17). 
We show in the next section how to compute this price of 
anarchy. 

4. NETWORK EXTERNALITIES AND THE 
DEPLOYMENT OF SECURITY FEATURES 

We next use our LMF model to compare the following 
situations: 

• Case 1: Strong protection. If an agent invest in self- 
protection, it cannot be harmed at all by the actions 
or inactions of others: p~ = q~ = (this is as in |12j ) 



• Case 2: Weak protection. Investing in self-protection 
does not change the probability of contagion: q + — q~ 
(as in [TO]) 

In both cases, agents that invest in self-protection incur some 
cost and in return receive some individual benefit through 
the reduced individual expected loss. But part of the benefit 
is public, namely the reduced indirect risk in the economy 
from which everybody benefits. Hence, there is a negative 
externality associated with not investing in self-protection, 
namely the increased risk to others. 

4.1 Erdos-Renyi graphs 

We analyze our model on a large sparse random graph 
G (n) = G(n,X/n) on n nodes {0, 1, . . . , n — 1}, where each 
potential edge (i, j), < i < j < n— 1 is present in the graph 
with probability A/n, independently for all n(n— 1)/2 edges. 
Here A > is a fixed constant independent of n. This cor- 
responds to the case of the Erdos-Renyi graph which has 
received considerable attention in the past [BJ. As explained 
in Section [3] our analysis is not restricted to this class of 
graphs, but it is simpler in this case since the degree distri- 
bution P is a Poisson distribution with mean A (see Remark 
0. 

In this case, the fixed point equation for ^(7) in Proposi- 
tion [1] becomes: 

-\q+h 



7(1 ~P )e Xq h 



(l-7)(l-p + )e" 



Then the equations (|9]) and (|10l) are given by: 

iV,7 -1 n + n -Xq+hM 

p " — 1 — (1 — p )e H K " , 

/• 7 = l-(l-p-)e- Xq ~ Hl) . 

For simplicity, we drop the risk adverse condition, so that 
7r = and we assume that costs for the self-protection are 
the same for all agents and equal to c, and the possible losses 
are also the same and equal to I. Then we have 



(1 



-\q-h(rt) 



(1 



Recall that an agent decides to invest in self-protection iff 
c < c 7 . The monotonicity of c 7 in 7 is crucial and it depends 
on the value of the parameters (p + ,p~ ,q + ,q~). 



4.2 Case 1: Strong protection 

We first consider Case 1 where p~ 



0, so that 



and c 7 



£=(l-(l- p + )e- Xq+h ^ t. Then 

by Proposition [T] 7 1— > c 7 is non-increasing and the fixed 
point equation (|9I10I11I12[) has a unique solution. In this 
case, as 7 the fraction of agents investing in self-protection 
increases, the incentive to invest in self-protection decreases. 
In fact, it is less attractive for an agent to invest in self- 
protection, should others then decide to do so. As more 
agents invest, the expected benefit of following suit decreases 
since there is a reduction in the negative externalities which 
translates into a lower probability of loss. Hence there is a 
unique equilibrium point which is a Nash equilibrium. How- 
ever, there is a wide range of parameters for which the Nash 
equilibrium will not be socially optimal because agents do 
not take into account the negative externalities they are cre- 
ating in determining whether to invest or not. Indeed it is 
easily shown that at least for c > p + £, the price of anarchy 
is strictly larger than one (see Figure [TJ. 
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Figure 1: Price of anarchy for c/i in the vicinity of 
p + = 0.01. 



Figure 2: Price of anarchy: h* as a function of Xq^ 
with p+ = 0.01 and p~ = 0. 



Proposition 2. The fixed voint equation 19\10\11\12\) re- 

duces to 

hi 



hi 

C \ ' ~ ' / c 

It has a unique solution. The price of anarchy is given by 

c 



h = - — (l - (1 - p + ) e - Xq+h ^j and, 1 - 7 = 
solution. Th 
P a {c) = sup ■ 



7c + h(-y)£ ' 
where h(pf) is the unique solution of 

h=(l-~t)(l-(l-p + )e- x « +h ) 
See Appendix [72] for a proof. 

4.3 Case 2: Weak protection 

We now consider Case 2 where q + = q~ , so that 7 1— > c 7 
is non-decreasing. The analysis of this case is described [10] 
(see Proposition 5). The situation is quite different from 
the results we derived for Case 1 above. In particular, we 
can have two Nash equilibria involving everyone or no one 
investing in security. When there are two Nash equilibria, 
the socially optimal solution is always for everyone to in- 
vest: each agent will find that the cost of investing in self- 
protection will be justified if it does not incur any negative 
externalities and society will be better off as well. 

Proposition 3. We have c° < c 1 and 

• if c < c°, then there is only one Nash equilibrium where 
every agent invest in self-protection; 

• if c > c , then there is only one Nash equilibrium where 
no agent invest in self-protection; 

• if c° < c < c 1 , then both Nash equilibria are possible. 



The price of anarchy is given by: 
P a (c) =1V1(c° < c)- 



h{0)£ 



c + h(l)£' 

If we take p~ — 0, then we have h(l) = and h(0) = h* 
solution of h* = 1 - (1 - p + )e~ Xqh " . So that we have 

Pa(c) . 

C 

Figure [2] shows the value of h* as a function of \q + . Note 
that typically c = o(i) so that the price of anarchy can be 
substantially larger than one. 



5. DISCUSSION 

We have shown that both situations with strong or weak 
protections exhibit externalities and that the equilibrium is 
not socially optimal: therefore, there is a market failure. 
However there are several important differences to under- 
stand between strong and weak protections before trying to 
resolve this market failure. 

In case 1, the situation is similar to the free-rider problem 
which arises in the production of public goods. If all then 
agents invest in self-protection, then the general security 
level of the network is very high since the probability of loss 
is zero. But a self-interested agent would not continue to 
pay for self-protection since it incurs a cost c for preventing 
only direct losses that have very low probabilities. When 
the general security level of the network is high, there is no 
incentive for investing in self-protection. This results in an 
under-protected network. 

Note that in this case, if the cost for self-protection is not 
prohibitive, there is always a non-negligible fraction of the 
agents investing in self-protection. In case 2, the situation is 
quite different since no agent at all invests in self-protection. 
Even if a small fraction of agents does invest, and so raises 
the general level of security of the network, it is not sufficient 
for the benefit obtained by investing in self-protection for a 
new agent to be larger than the cost of self-protection. 

These facts seem very relevant to the situation observed 
in the Internet, where under-investment in security solutions 
and security controls has long been considered an issue. Se- 
curity managers typically face challenges in providing jus- 
tification for security investments, and in 2003, the Presi- 
dent's National Strategy to Secure Cyberspace stated that 
government action is required where "market failures result 
in under-investment in cybersecurity" [15] . 

It shows the power of our basic model to note that these 
interesting and very relevant phenomena emerge from our 
analysis. Note also that these phenomena correspond to 
two extreme values of the parameter q~ , namely case 1 cor- 
responds to q~ = and case 2 corresponds to q~ — q + . 
Hence taking p~ = and fixing all other parameters, we 
have a family of models indexed by q~ , denoted simply q in 
what follows, which varies 'continuously' between the two 
cases. 

Recall that q is the probability of contagion when the 
agent invests in self-protection. If q = 0, the agent is com- 
pletely secure whereas for q — q~ , agents have the same 



probability of contagion whatever their choices to invest or 
not in self-protection. Hence q can be interpreted as the in- 
verse of the quality of the technology used for self-protection. 
First note that when q = 0, the technology is 'perfect' 




| ■-q=0.15 q=0.1 q=0.05 q=0| 



Figure 3: Adoption curves 



since there is no possible loss. We are in the situation of 
case 1 and we see that due to purely economic reasons, the 
technology is under-deployed in the network because people 
'free-ride' the benefit of the technology. Consider now the 
case of an arbitrary q. Figure [3] shows the adoption curves 
for different values of q. This curve shows the fraction of 
the population investing in security technology as a func- 
tion of its cost (normalized by the loss) . Other parameters 
are p + = 0.01, q + = 0.5 and A = 10. 

We observe some counter-intuitive phenomena. First for a 
fixed price, increasing the quality of the security technology 
can lead to a decrease of its adoption in the population! Here 
is a qualitative interpretation of how this arises: when the 
technology is not very good, propagation of the epidemic is 
possible even if the agent uses the technology. Then agents 
have to pool their efforts in order to compensate for the 
weakness of the technology. In other words, a large number 
must invest in self-protection in order to have an acceptable 
level of security. But when the technology becomes better, 
then agents that did invest in it start to step down from the 
group of investors and choose to free-ride. 

Second there is a barrier for choosing self-protection (ex- 
cept when q = 0). Namely for a fixed q, we see that there is 
a range for the parameter c (close to c°) such that the popu- 
lation is 'trapped' in state N whereas for the same values of 
the parameters, the situation where a large fraction of the 
population is investing would be a sustainable equilibrium 
point. There is a possibility of tipping or cascading: induc- 
ing some agents to invest in self-protection will lead others 
to follow suit. The curves of Figure [3] allow us to quantify 
the minimal number of agents to induce in order to trigger 
a large cascade of adoption. 
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7. APPENDIX 

7.1 Proof of Proposition [T] 

Recall that the RDE is given by: 

JV* 

Y±i-(i-<t>)H(i-e k Y h ), 

fc=l 

where N* has distribution P* , 4> = DA S + (1 - D)A N , 
6 k = DB% + (1 - where D is a Bernoulli r.v. with 

parameter 7, Y and Y k are i.i.d. copies. Let ft = P(Y = 1), 
then we have 

ft = F^D = l,(l-A s )~[[(l-BlY k ) = oJ 

+P (d = 0, (1 - A") f[(l - B?Y k ) = 

= 7(1 - ¥{A S = 0))E [p(Bf Y k = 0)"*] 

+ (1 - 7 )(1 - F(A N = 0))E [P(5f Y fc = 0)"*] , 

and the first part of Proposition [1] follows. 
We define: 

f(x,i) = l-y(l-p-)G N *(l-q-x) 

-(l-j)(l-p + )G N *(l-q + x), 

so that ft is solution of the fixed point equation ft — /(ft, 7). 
By taking the derivate of / in x, we see that x 1— > f(x, 7) 
is a non-decreasing concave function. Note that /(0, 7) = 
7P" + (1 - 7)p+ > (1 - 7)p + and /(1,7) < 1. So that 
for 7 < 1, there exists a unique solution to the fixed point 
equation h = /(ft, 7). If 7 = 1, we have /(0, 1) = p~ and 
/(l, 1) < 1. Then if p~ = 0, the fixed point equation has a 
unique solution h = and if p~ > 0, then /(0, 1) > and 
the fixed point equation has still an unique solution. 

We now prove that the function 7 ^(7) is non-increasing. 
By taking the derivate of the function 7 1— > f(x, 7), we see 
that this function is non-increasing in 7 (while x is fixed). 
Then for u < v, we get 

f(h(u),u) = h(u) > f(h(u),v) > f(f(h(u),v),v) > h(v), 
and the claimed monotonicity of h follows. 

7.2 Proof of Proposition H 

Recall that the fixed point equation for h(-y) is: 

ft = (l-7)(l-(l-p + )e~ A9+ ' 1 )- 

Consider now that the cost c and loss I are random variables 
such that the function t 1— » P(c/£ < t) is continuous, then 
Equation (fl2|) is 

7 = p(c<^l-(l-p+)e- A9+ ' l(7) ^ 




Since the function ft is non-increasing, we see that the right- 
hand side of the first line is a non-increasing function in 7, 
hence there exists a unique solution 7* to this fixed point 



equation. If we take a sequence of distributions such c/l 
tends to a constant, we see that the solution 7* is such that 

c = ft(7*) 
I 1 - 7* ' 

and the first part of Proposition [2] follows. 

Note that we have p N '"' — h(-y)/(l — 7). So for a fixed 
7, the average cost incured to the population is 7c + (1 — 
, y)p N '~ l £ — 7c + h(-y)£. Now for 7 = 7*, we have h( / y*)£ = 
(1 — 7*)c, so that the average cost is just c and the last part 
of Proposition [2] follows. 



